AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Deploys the cert-manager helm chart into an existing kubernetes cluster
  (qs-1tshard8j).
Metadata:
  cfn-lint: { config: { ignore_checks: [W9002, W9003, W9004, W9006] } }
Parameters:
  EksClusterName:
    Type: String
  OIDCProviderArn:
    Type: String
  OIDCProviderEndpoint:
    Type: String
  PrometheusEnabled:
    Type: String
    AllowedValues: ['true', 'false']
  FargateEnabled:
    Type: String
    AllowedValues: ['true', 'false']
Conditions:
  Commercial: !Equals [!Ref AWS::Partition, aws]
  EnableFargate: !Equals [!Ref FargateEnabled, 'true']
  EnablePrometheus: !Equals [!Ref PrometheusEnabled, 'true']
Resources:
  CertManagerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Federated": "${OIDCProviderArn}"
              },
              "Action": "sts:AssumeRoleWithWebIdentity",
              "Condition": {
                "StringEquals": {
                  "${OIDCProviderEndpoint}:aud": [
                    "sts.amazonaws.com",
                    "sts.${AWS::Region}.amazonaws.com"
                  ],
                  "${OIDCProviderEndpoint}:sub": "system:serviceaccount:cert-manager:cert-manager"
                }
              }
            }
          ]
        }
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - !If [Commercial, !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly', !Ref AWS::NoValue]
  CertManagerHelmChart:
    # https://cert-manager.io/docs/installation/helm/
    # https://artifacthub.io/packages/helm/cert-manager/cert-manager
    Type: AWSQS::Kubernetes::Helm
    Properties:
      ClusterID: !Ref EksClusterName
      Namespace: cert-manager
      Chart: cert-manager/cert-manager
      Repository: https://charts.jetstack.io
      Values:
        image.repository: quay.io/jetstack/cert-manager-controller
        installCRDs: 'true'
        nodeSelector.kubernetes\.io/os: linux
        prometheus.enabled: !If [EnablePrometheus, 'true', 'false']
        serviceAccount.annotations.eks\.amazonaws\.com/role-arn: !GetAtt CertManagerRole.Arn
        serviceAccount.create: 'true'
        serviceAccount.name: cert-manager
        webhook.securePort: !If [EnableFargate, '10251', '10250'] # https://cert-manager.io/docs/installation/compatibility/